Tales from the BlackHat NOC: Fish and Chips Edition

Nov 04, 2016 | by Mike Sconzo

We're in the first day of training at Black Hat Europe 2016, and once again - the RSA Black Hat NOC team is volunteering. This round, we'll have more full packet capture, log analysis, session reconstruction, and analytics for both the wired and wireless networks provided by RSA NetWitness. Except this time, there is one difference (besides access to copious amounts of fish and chips) - the gear is running RSA NetWitness version 10.6.2, the latest and greatest available. We'll also be looking for malicious files traversing the network with Malware Analysis and ThreatGrid (don't forget if you're a RSA NetWitness customer you can get a free key good for 5 samples/day), and this year we're joined by Gigamon who is providing our network visibility.

RSA NetWitness 10.6.2. provides a number of performance enhancements, but it also brings some new and exciting features with it.

  • Expanded analysis and visibility into network traffic via the Hunter Packs.
  • Live Feedback provides a method for customers to share anonymous usage data to help us understand what workflows are common in the product. Enabling us to focus on analyst efficiencies as well as technical ones.
  • RSA Live Connect allows 2-way threat communication allowing customers additional context and detection by sharing some data back with RSA. This allows greater insight into threats through SME analysis and community sharing.
  • C2 detection expanded to logs for expanded visibility and detection.
  • Starter Bundles have been integrated into RSA Live, so that organizations have a starting place for product administration and success. These ensure a company has the minimum amount of content to detect and respond.
  • There are numerous improvements in the product: expanded dashboards, incident reporting, as well as Azure support for logs.

I know I'm looking forward to see how the latest version enables us to help the Black Hat staff deal with network and device incidents.

Author: Mike Sconzo

Category: RSA Fundamentals, Blog Post